31e9539c07c2cdd18cf9ac5beb00b73135847e7b648701d58bd8817ec80dad59

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\ = "Brave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\StubPath = "\"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\125.1.66.110\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}\Localized Name = "Brave"	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

BraveUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe	BraveUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe\DisableExceptionChainValidation = "0"	BraveUpdate.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

brave.exeBraveUpdate.exebrave.exebrave.exebrave.exebrave.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	BraveUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	brave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	brave.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

brave.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	brave.exe

Drops file in Program Files directory 64 IoCs

Processes:

BraveBrowserSetup-BRV029.exesetup.exebrave.exeBraveUpdate.exeBraveUpdate.exechrmstp.exe

description	ioc	process
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_ta.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_cs.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\hu.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3064_1413165368\manifest.fingerprint	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\psuser.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\uk\messages.json	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3064_1139140970\manifest.fingerprint	brave.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\hr\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\ro\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_hu.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\ru.pak	setup.exe
File created	C:\Program Files\chrome_url_fetcher_3064_1745241936\extension_1_0_1602.crx	brave.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3064_1139140970\1\scripts\brave_rewards\publisher\twitter\twitterAutoContribution.bundle.js	brave.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\af.pak	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_fi.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_lv.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\am.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\notification_helper.exe	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\gu\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_id.dll	BraveUpdate.exe
File opened for modification	C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\brave_installer-x64.exe	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_hr.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_iw.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_ro.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3064_1139140970\1\scripts\brave_rewards\publisher\reddit\redditBase.bundle.js	brave.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\pl.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\sr\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_de.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_sl.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_sw.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\psmachine.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\kn.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\ml.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\lt\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\th\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_fr.dll	BraveUpdate.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_hi.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\brave_100_percent.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\cs.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\fa.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3064_1139140970\1\scripts\brave_rewards\publisher\github\githubBase.bundle.js	brave.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_fil.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\lt.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\sl.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3064_918771753\nadeem-choudhary-1.jpg	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_bg.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\goopdateres_zh-CN.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\mr\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\he\messages.json	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\nb\messages.json	setup.exe
File created	C:\Program Files\chrome_url_fetcher_3064_1190858044\extension_1_0_6767.crx	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\BraveUpdateOnDemand.exe	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_da.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\gu.pak	setup.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\Locales\ko.pak	setup.exe
File created	C:\Program Files\chrome_url_fetcher_3064_1398305988\hfnkpimlhhgieaddgfemjhofmfblmnib_8773_all_adper4ufxsed6nncoak7wi247fna.crx3	brave.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3064_918771753\eric-patterson-1.jpg	brave.exe
File created	C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\psmachine_arm64.dll	BraveBrowserSetup-BRV029.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\ur\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\goopdateres_kn.dll	BraveUpdate.exe
File created	C:\Program Files\BraveSoftware\Brave-Browser\Temp\source944_745566631\Chrome-bin\125.1.66.110\resources\brave_extension\_locales\de\messages.json	setup.exe
File created	C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveCrashHandlerArm64.exe	BraveUpdate.exe

Executes dropped EXE 44 IoCs

Processes:

BraveUpdate.exeBraveUpdate.exeBraveUpdate.exeBraveUpdateComRegisterShell64.exeBraveUpdateComRegisterShell64.exeBraveUpdateComRegisterShell64.exeBraveUpdate.exeBraveUpdate.exeBraveUpdate.exebrave_installer-x64.exesetup.exesetup.exesetup.exesetup.exeBraveUpdate.exeBraveUpdateOnDemand.exeBraveUpdate.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exe

pid	process
4672	BraveUpdate.exe
4848	BraveUpdate.exe
1196	BraveUpdate.exe
2008	BraveUpdateComRegisterShell64.exe
1224	BraveUpdateComRegisterShell64.exe
4160	BraveUpdateComRegisterShell64.exe
1248	BraveUpdate.exe
2380	BraveUpdate.exe
2132	BraveUpdate.exe
840	brave_installer-x64.exe
944	setup.exe
1944	setup.exe
2252	setup.exe
1492	setup.exe
2920	BraveUpdate.exe
812	BraveUpdateOnDemand.exe
4056	BraveUpdate.exe
3064	brave.exe
1616	brave.exe
1676	brave.exe
4532	brave.exe
4572	brave.exe
2776	brave.exe
2488	brave.exe
2256	brave.exe
1052	brave.exe
3216	brave.exe
1392	brave.exe
3276	brave.exe
1900	brave.exe
2204	brave.exe
816	brave.exe
3084	brave.exe
5492	brave.exe
772	chrmstp.exe
5780	chrmstp.exe
5536	chrmstp.exe
5584	chrmstp.exe
6032	brave.exe
6060	brave.exe
2524	brave.exe
1960	brave.exe
5564	brave.exe
4896	brave.exe

Loads dropped DLL 64 IoCs

Processes:

BraveUpdate.exeBraveUpdate.exeBraveUpdate.exeBraveUpdateComRegisterShell64.exeBraveUpdateComRegisterShell64.exeBraveUpdateComRegisterShell64.exeBraveUpdate.exeBraveUpdate.exeBraveUpdate.exeBraveUpdate.exeBraveUpdate.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exebrave.exe

pid	process
4672	BraveUpdate.exe
4848	BraveUpdate.exe
1196	BraveUpdate.exe
2008	BraveUpdateComRegisterShell64.exe
1196	BraveUpdate.exe
1224	BraveUpdateComRegisterShell64.exe
1196	BraveUpdate.exe
4160	BraveUpdateComRegisterShell64.exe
1196	BraveUpdate.exe
1248	BraveUpdate.exe
2380	BraveUpdate.exe
2132	BraveUpdate.exe
2132	BraveUpdate.exe
2380	BraveUpdate.exe
2920	BraveUpdate.exe
4056	BraveUpdate.exe
4056	BraveUpdate.exe
3064	brave.exe
1616	brave.exe
3064	brave.exe
1676	brave.exe
4532	brave.exe
1676	brave.exe
4532	brave.exe
1676	brave.exe
1676	brave.exe
1676	brave.exe
4572	brave.exe
4572	brave.exe
1676	brave.exe
1676	brave.exe
1676	brave.exe
2776	brave.exe
2488	brave.exe
2776	brave.exe
2256	brave.exe
1052	brave.exe
2256	brave.exe
1052	brave.exe
2488	brave.exe
3216	brave.exe
3216	brave.exe
1392	brave.exe
1392	brave.exe
3276	brave.exe
3276	brave.exe
1900	brave.exe
1900	brave.exe
2204	brave.exe
816	brave.exe
2204	brave.exe
816	brave.exe
3084	brave.exe
3084	brave.exe
5492	brave.exe
5492	brave.exe
6032	brave.exe
6060	brave.exe
6060	brave.exe
6032	brave.exe
2524	brave.exe
1960	brave.exe
2524	brave.exe
1960	brave.exe

Registers COM server for autorun 1 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

BraveUpdateComRegisterShell64.exeBraveUpdateComRegisterShell64.exeBraveUpdateComRegisterShell64.exesetup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06C9646D-2807-44C0-97D2-6DA0DB623DB4}\LocalServer32\ = "\"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\125.1.66.110\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{06C9646D-2807-44C0-97D2-6DA0DB623DB4}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32\ = "C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\psmachine_64.dll"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC03C0E4-1528-4299-89B2-419644FA48AC}\InprocServer32\ThreadingModel = "Both"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06C9646D-2807-44C0-97D2-6DA0DB623DB4}\LocalServer32\ServerExecutable = "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\125.1.66.110\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32	BraveUpdateComRegisterShell64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

brave.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	brave.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	brave.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

brave.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607769765302444"	brave.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	brave.exe

Modifies registry class 64 IoCs

Processes:

BraveUpdate.exeBraveUpdate.exeBraveUpdateComRegisterShell64.exeBraveUpdateComRegisterShell64.exeBraveUpdateComRegisterShell64.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebSvc\ = "BraveUpdate Update3Web"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}\ProxyStubClsid32	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CoreMachineClass	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebSvc.1.0\CLSID	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\ProxyStubClsid32\ = "{CC163239-EA31-458A-A7F2-DAF3C74D6596}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F6D9FE5-6ED3-43A3-80D2-EA8766D65352}\LocalServer32\ = "\"C:\\Program Files (x86)\\BraveSoftware\\Update\\1.3.361.149\\BraveUpdateBroker.exe\""	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\NumMethods\ = "11"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}\ProxyStubClsid32\ = "{CC163239-EA31-458A-A7F2-DAF3C74D6596}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\NumMethods\ = "8"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DB7BD5-BD0B-4886-9705-174203FE0ADA}\NumMethods\ = "16"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00B16F95-319A-4F01-AC81-CE69B8F4E387}\ProgID	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598BBE98-5919-4392-B62A-50D7115F10A3}	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}\ProxyStubClsid32\ = "{CC163239-EA31-458A-A7F2-DAF3C74D6596}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CFC4E00-1C9D-443D-B5BE-CEEEAC1443AF}\ProxyStubClsid32\ = "{CC163239-EA31-458A-A7F2-DAF3C74D6596}"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66CE3D6C-0B35-4F78-AC77-39728A75CB75}\Elevation	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebSvc	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}\ = "ICredentialDialog"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}\NumMethods	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\BraveHTML\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC163239-EA31-458A-A7F2-DAF3C74D6596}\InProcServer32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}\NumMethods\ = "23"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F234546B-DACD-4374-97CF-7BADFAB76766}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\NumMethods\ = "24"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ = "IProcessLauncher"	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\BraveFile\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBDA5D88-AA7D-4A8C-A20C-C01FADB43EDA}\InprocServer32\ThreadingModel = "Both"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ = "ICoCreateAsyncStatus"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F396861E-0C8E-4C71-8256-2FAE6D759CE9}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}\ = "IRegistrationUpdateHook"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\ = "IGoogleUpdateCore"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\ProxyStubClsid32\ = "{CC163239-EA31-458A-A7F2-DAF3C74D6596}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.CoreMachineClass.1\ = "Google Update Core Class"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}\ = "IBrowserHttpRequest2"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\NumMethods\ = "41"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebMachine\ = "Google Update Broker Class Factory"	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DB7BD5-BD0B-4886-9705-174203FE0ADA}\ = "IPolicyStatus"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{576B31AF-6369-4B6B-8560-E4B203A97A8B}\LocalService = "BraveElevationService"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\NumMethods	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\ProxyStubClsid32\ = "{CC163239-EA31-458A-A7F2-DAF3C74D6596}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F396861E-0C8E-4C71-8256-2FAE6D759CE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveHTML\AppUserModelId = "Brave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebSvc\CurVer\ = "BraveSoftwareUpdate.Update3WebSvc.1.0"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A147722A-5568-4B84-B401-86D744470CBF}	BraveUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F396861E-0C8E-4C71-8256-2FAE6D759CE9}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ProxyStubClsid32	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\ProxyStubClsid32\ = "{CC163239-EA31-458A-A7F2-DAF3C74D6596}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DB7BD5-BD0B-4886-9705-174203FE0ADA}\ProxyStubClsid32\ = "{CC163239-EA31-458A-A7F2-DAF3C74D6596}"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.OnDemandCOMClassMachine.1.0\ = "Google Update Broker Class Factory"	BraveUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BraveSoftwareUpdate.Update3WebMachine	BraveUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CFC4E00-1C9D-443D-B5BE-CEEEAC1443AF}\ = "IJobObserver"	BraveUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7FF255A-A593-41BD-A69B-E05D72B72756}\ = "Google Update Core Class"	BraveUpdate.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

BraveUpdate.exeBraveUpdate.exeBraveUpdate.exebrave.exe

pid	process
4672	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
2380	BraveUpdate.exe
2380	BraveUpdate.exe
2920	BraveUpdate.exe
2920	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
4672	BraveUpdate.exe
3064	brave.exe
3064	brave.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

brave.exe

pid process

3064 brave.exe
3064 brave.exe
3064 brave.exe
3064 brave.exe

pid	process
3064	brave.exe
3064	brave.exe
3064	brave.exe
3064	brave.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

BraveUpdate.exebrave_installer-x64.exeBraveUpdate.exeBraveUpdate.exebrave.exe

description	pid	process
Token: SeDebugPrivilege	4672	BraveUpdate.exe
Token: SeDebugPrivilege	4672	BraveUpdate.exe
Token: SeDebugPrivilege	4672	BraveUpdate.exe
Token: SeDebugPrivilege	4672	BraveUpdate.exe
Token: 33	840	brave_installer-x64.exe
Token: SeIncBasePriorityPrivilege	840	brave_installer-x64.exe
Token: SeDebugPrivilege	2380	BraveUpdate.exe
Token: SeDebugPrivilege	2920	BraveUpdate.exe
Token: SeDebugPrivilege	4672	BraveUpdate.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe
Token: SeShutdownPrivilege	3064	brave.exe
Token: SeCreatePagefilePrivilege	3064	brave.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

brave.exechrmstp.exe

pid process

3064 brave.exe
3064 brave.exe
3064 brave.exe
5536 chrmstp.exe

pid	process
3064	brave.exe
3064	brave.exe
3064	brave.exe
5536	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BraveBrowserSetup-BRV029.exeBraveUpdate.exeBraveUpdate.exeBraveUpdate.exebrave_installer-x64.exesetup.exesetup.exeBraveUpdateOnDemand.exeBraveUpdate.exebrave.exe

description	pid	process	target process
PID 744 wrote to memory of 4672	744	BraveBrowserSetup-BRV029.exe	BraveUpdate.exe
PID 744 wrote to memory of 4672	744	BraveBrowserSetup-BRV029.exe	BraveUpdate.exe
PID 744 wrote to memory of 4672	744	BraveBrowserSetup-BRV029.exe	BraveUpdate.exe
PID 4672 wrote to memory of 4848	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 4848	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 4848	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 1196	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 1196	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 1196	4672	BraveUpdate.exe	BraveUpdate.exe
PID 1196 wrote to memory of 2008	1196	BraveUpdate.exe	BraveUpdateComRegisterShell64.exe
PID 1196 wrote to memory of 2008	1196	BraveUpdate.exe	BraveUpdateComRegisterShell64.exe
PID 1196 wrote to memory of 1224	1196	BraveUpdate.exe	BraveUpdateComRegisterShell64.exe
PID 1196 wrote to memory of 1224	1196	BraveUpdate.exe	BraveUpdateComRegisterShell64.exe
PID 1196 wrote to memory of 4160	1196	BraveUpdate.exe	BraveUpdateComRegisterShell64.exe
PID 1196 wrote to memory of 4160	1196	BraveUpdate.exe	BraveUpdateComRegisterShell64.exe
PID 4672 wrote to memory of 1248	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 1248	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 1248	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 2380	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 2380	4672	BraveUpdate.exe	BraveUpdate.exe
PID 4672 wrote to memory of 2380	4672	BraveUpdate.exe	BraveUpdate.exe
PID 2132 wrote to memory of 840	2132	BraveUpdate.exe	brave_installer-x64.exe
PID 2132 wrote to memory of 840	2132	BraveUpdate.exe	brave_installer-x64.exe
PID 840 wrote to memory of 944	840	brave_installer-x64.exe	setup.exe
PID 840 wrote to memory of 944	840	brave_installer-x64.exe	setup.exe
PID 944 wrote to memory of 1944	944	setup.exe	setup.exe
PID 944 wrote to memory of 1944	944	setup.exe	setup.exe
PID 944 wrote to memory of 2252	944	setup.exe	setup.exe
PID 944 wrote to memory of 2252	944	setup.exe	setup.exe
PID 2252 wrote to memory of 1492	2252	setup.exe	setup.exe
PID 2252 wrote to memory of 1492	2252	setup.exe	setup.exe
PID 2132 wrote to memory of 2920	2132	BraveUpdate.exe	BraveUpdate.exe
PID 2132 wrote to memory of 2920	2132	BraveUpdate.exe	BraveUpdate.exe
PID 2132 wrote to memory of 2920	2132	BraveUpdate.exe	BraveUpdate.exe
PID 812 wrote to memory of 4056	812	BraveUpdateOnDemand.exe	BraveUpdate.exe
PID 812 wrote to memory of 4056	812	BraveUpdateOnDemand.exe	BraveUpdate.exe
PID 812 wrote to memory of 4056	812	BraveUpdateOnDemand.exe	BraveUpdate.exe
PID 4056 wrote to memory of 3064	4056	BraveUpdate.exe	brave.exe
PID 4056 wrote to memory of 3064	4056	BraveUpdate.exe	brave.exe
PID 3064 wrote to memory of 1616	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1616	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe
PID 3064 wrote to memory of 1676	3064	brave.exe	brave.exe

C:\Users\Admin\AppData\Local\Temp\BraveBrowserSetup-BRV029.exe
"C:\Users\Admin\AppData\Local\Temp\BraveBrowserSetup-BRV029.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Temp\GUM44DA.tmp\BraveUpdate.exe" /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none"
  2⤵
  - Sets file execution options in registry
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
    "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:4848
- - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
    "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:2008
  - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:1224
  - - C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:4160
- - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
    "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTQ5IiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE0OSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9InswMzhFMDg5RS01RkQ4LTQzMjQtQjgyMy1BMzcxOTMwMDMwRTN9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7Qjk3QzMwOEQtOTlDMy00NUNCLUE2MjgtMEUwQTczN0M4QTJEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntCMTMxQzkzNS05QkU2LTQxREEtOTU5OS0xRjc3NkJFQjgwMTl9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMzYxLjE0OSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI5NTMiLz48L2FwcD48L3JlcXVlc3Q-
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1248
- - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
    "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /handoff "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none" /installsource taggedmi /sessionid "{038E089E-5FD8-4324-B823-A371930030E3}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380

C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /svc
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\brave_installer-x64.exe
  "C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\brave_installer-x64.exe" --do-not-launch-chrome /installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\guiB7E8.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\setup.exe
    "C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\setup.exe" --install-archive="C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\CHROME.PACKED.7Z" --do-not-launch-chrome /installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\guiB7E8.tmp" --brave-referral-code="BRV029"
    3⤵
    - Modifies Installed Components in the registry
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=125.1.66.110 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff676832fe0,0x7ff676832fec,0x7ff676832ff8
      4⤵
      Executes dropped EXE
      PID:1944
  - - C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\setup.exe
      "C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\guiB7E8.tmp" --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\setup.exe
        
        "C:\Program Files (x86)\BraveSoftware\Update\Install\{2EAEE09E-4504-4CA7-B931-6B6FCCB6CE60}\CR_44FC7.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=125.1.66.110 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff676832fe0,0x7ff676832fec,0x7ff676832ff8
        5⤵
        Executes dropped EXE
        
        PID:1492
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNjEuMTQ5IiBzaGVsbF92ZXJzaW9uPSIxLjMuMzYxLjE0OSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9InswMzhFMDg5RS01RkQ4LTQzMjQtQjgyMy1BMzcxOTMwMDMwRTN9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgdGVzdHNvdXJjZT0iYXV0byIgcmVxdWVzdGlkPSJ7NUU3M0Q1MzAtQUMxMi00MTEzLTk3NjItQTJBMDlDN0ZFQjQ0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI4IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntBRkU2QTQ2Mi1DNTc0LTRCOEEtQUY0My00Q0M2MERGNDU2M0J9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjUuMS42Ni4xMTAiIGFwPSJyZWxlYXNlIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cHM6Ly91cGRhdGVzLWNkbi5icmF2ZXNvZnR3YXJlLmNvbS9idWlsZC9CcmF2ZS1SZWxlYXNlL3JlbGVhc2Uvd2luLzEyNS4xLjY2LjExMC94NjQvYnJhdmVfaW5zdGFsbGVyLXg2NC5leGUiIGRvd25sb2FkZWQ9IjEyNTQ5MTIyNCIgdG90YWw9IjEyNTQ5MTIyNCIgZG93bmxvYWRfdGltZV9tcz0iMjAxMzQiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjcwNyIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjQwNiIgZG93bmxvYWRfdGltZV9tcz0iMjEzMzciIGRvd25sb2FkZWQ9IjEyNTQ5MTIyNCIgdG90YWw9IjEyNTQ5MTIyNCIgaW5zdGFsbF90aW1lX21zPSIzMDI2NiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveUpdateOnDemand.exe
"C:\Program Files (x86)\BraveSoftware\Update\1.3.361.149\BraveUpdateOnDemand.exe" -Embedding
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812
- C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
  "C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /ondemand
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
    "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --from-installer
    3⤵
    - Checks computer location settings
    - Checks system information in the registry
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=125.1.66.110 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffde5382c80,0x7ffde5382c8c,0x7ffde5382c98
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1616
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2104,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1676
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --field-trial-handle=2024,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=2392 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4532
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2268,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=2692 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4572
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5919201606591536668 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3364,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=3432 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:2488
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5919201606591536668 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:2776
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --extension-process --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5919201606591536668 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=4100,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=4112 /prefetch:2
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:2256
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=renderer --extension-process --enable-distillability-service --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --brave_session_token=5919201606591536668 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4736,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=4748 /prefetch:2
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:1052
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --field-trial-handle=5208,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=4372 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3216
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=4908,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=5260 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1392
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5216,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=5412 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3276
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5544,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=5564 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1900
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5280,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=5264 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2204
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\125.1.66.110\Installer\chrmstp.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\125.1.66.110\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      4⤵
      Executes dropped EXE
      PID:772
    - - C:\Program Files\BraveSoftware\Brave-Browser\Application\125.1.66.110\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\125.1.66.110\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=125.1.66.110 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff6b98e2fe0,0x7ff6b98e2fec,0x7ff6b98e2ff8
        5⤵
        Executes dropped EXE
        
        PID:5780
    - - C:\Program Files\BraveSoftware\Brave-Browser\Application\125.1.66.110\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\125.1.66.110\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\BraveSoftware\Brave-Browser\Application\initial_preferences" --create-shortcuts=1 --install-level=0
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:5536
      - C:\Program Files\BraveSoftware\Brave-Browser\Application\125.1.66.110\Installer\chrmstp.exe
        
        "C:\Program Files\BraveSoftware\Brave-Browser\Application\125.1.66.110\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=125.1.66.110 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff6b98e2fe0,0x7ff6b98e2fec,0x7ff6b98e2ff8
        6⤵
        Executes dropped EXE
        
        PID:5584
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5332,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=5360 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:816
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5336,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=5740 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3084
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5076,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=4872 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5492
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=6432,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=6396 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6032
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=6532,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=6552 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6060
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=6440,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=6528 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2524
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=6536,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=6836 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1960
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5384,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=5504 /prefetch:8
      4⤵
      Executes dropped EXE
      PID:5564
  - - C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe
      "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --field-trial-handle=5260,i,6359339623125814641,3664955797932339732,262144 --variations-seed-version=1 --mojo-platform-channel-handle=5684 /prefetch:8
      4⤵
      Executes dropped EXE
      PID:4896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:5848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery